Intro to ECAT
DESCRIPTION
A brief presentation on how ECAT fills the detection gap between AV and Forensics
TRANSCRIPT
ECAT – Enterprise Compromise Assessment
Chad Loeven, VP Sales and Marketing
Pascal Longpre, Founder and CTO
Enterprise security today
• AV on desktop and server
• Firewall
• IPS
• SIEM
• Bluetooth and WiFi can bypass in-line devices
• Inline devices can’t identify what happened on the host in a compromise
Kaspersky – Rated #1 AV overall
>42% of all new malware passed through undetected
ECAT fills the detection gap
Incident -> Rapid breach detection -> Recovery -> Forensics
The ECAT solution: no signatures
• Host-based Deep Scan
• Network traffic
• Live Memory Analysis
• Machine Suspect Level
[Diagram: multiple ECAT Agent instances]
ECAT Overview – server and agent
Report over SSL
UDP heartbeat
Server-side analysis of the endpoint
ECAT – Baselines and whitelists
Whitelisting:
• Bit9 Global Software Registry (GSR)
• NIST database of known-good hashes
• ECAT whitelist including Microsoft MSDN
• Server-side Cert validation
• Opswat Metascan scans against 6 or more AV engines
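As an added illustration (not ECAT's own code, nor anything from Silicium Security), a small Python model of the approach this slide describes: each inventoried file is hashed and looked up in a known-good set, and files that are not known good pick up weight from failed certificate validation and multi-engine AV hits, summing to a per-host suspect level. The `FileRecord` fields, the per-file weights and the inventory are assumptions constructed for the example, not ECAT's actual scoring.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the known-good hash sets named on the slide (NSRL,
# Bit9 GSR, MSDN): SHA-256 of file contents. Real sets come from those sources.
KNOWN_GOOD = {hashlib.sha256(b).hexdigest()
              for b in (b"notepad.exe build 6.1", b"msvcrt.dll build 7.0")}


@dataclass
class FileRecord:
    """One entry of the full system inventory (fields are assumptions)."""
    path: str
    content: bytes       # bytes read from disk or carved from live memory
    signer_valid: bool   # outcome of server-side certificate validation
    av_hits: int         # engines that flagged the file in a multi-engine scan


def file_score(rec, known_good=KNOWN_GOOD):
    """Hypothetical per-file weight: known-good hash -> 0; otherwise 1 for
    being unknown, +2 if the signature does not validate, +1 per AV hit."""
    if hashlib.sha256(rec.content).hexdigest() in known_good:
        return 0
    return 1 + (0 if rec.signer_valid else 2) + rec.av_hits


def machine_suspect_level(inventory):
    """Sum of per-file weights: one number to rank hosts for triage."""
    return sum(file_score(r) for r in inventory)


def triage(inventory):
    """(path, weight) for files that are not known good, highest weight first."""
    scored = [(r.path, file_score(r)) for r in inventory]
    return sorted([t for t in scored if t[1] > 0], key=lambda t: -t[1])


# Constructed inventory: a whitelisted system file, an unsigned unknown binary
# flagged by three engines, and a signed in-house build that no hash set knows.
INVENTORY = [
    FileRecord(r"C:\Windows\notepad.exe", b"notepad.exe build 6.1", True, 0),
    FileRecord(r"C:\Users\alice\AppData\Local\Temp\upd.exe", b"unknown", False, 3),
    FileRecord(r"C:\Tools\inhouse.exe", b"in-house build 1.2", True, 0),
]

if __name__ == "__main__":
    print("machine suspect level:", machine_suspect_level(INVENTORY))  # 7
    for path, weight in triage(INVENTORY):
        print(weight, path)
```

The in-house build shows the caveat with whitelist-only detection: a file nobody's hash set knows is not evidence of compromise by itself, which is why the other signals are needed before a host is escalated.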
ECAT – Enterprise Compromise Assessment
Full System Inventory
Live Memory Analysis
Direct physical disk inspection
Certificate Validation
Application Whitelisting
Multi-engine AV scan
Network Traffic analysis
• Rapid Breach Detection
• Signature-less
• Fills the gap in desktop defense
• Actionable information, fast
• Remediation
Finding an evil in a haystack
ECAT – Enterprise Compromise Assessment
www.siliciumsecurity.com